mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

force certutil to always return 255 on error. Make sure there is only one pointer to password callback arg.

This commit is contained in:
mcgreer%netscape.com 2001-08-09 20:57:58 +00:00
Родитель 21ba42ba45
Коммит ca1878cfa5
2 изменённых файлов: 52 добавлений и 76 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

116
security/nss/cmd/certutil/certutil.c
Просмотреть файл

@ -609,27 +609,21 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
static SECStatus static SECStatus
ListCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, ListCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
PRBool raw, PRBool ascii, PRFileDesc *outfile, char *passFile) PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata)
{ {
SECStatus rv; SECStatus rv;
secuPWData pwdata = { PW_NONE, 0 };
if (passFile) {
pwdata.source = PW_FROMFILE;
pwdata.data = passFile;
}
if (slot == NULL) { if (slot == NULL) {
PK11SlotList *list; PK11SlotList *list;
PK11SlotListElement *le; PK11SlotListElement *le;
list= PK11_GetAllTokens(CKM_INVALID_MECHANISM, list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,
PR_FALSE,PR_FALSE,&pwdata); PR_FALSE,PR_FALSE,pwdata);
if (list) for (le = list->head; le; le = le->next) { if (list) for (le = list->head; le; le = le->next) {
rv = listCerts(handle,name,le->slot,raw,ascii,outfile,&pwdata); rv = listCerts(handle,name,le->slot,raw,ascii,outfile,pwdata);
} }
} else { } else {
rv = listCerts(handle,name,slot,raw,ascii,outfile,&pwdata); rv = listCerts(handle,name,slot,raw,ascii,outfile,pwdata);
} }
return rv; return rv;
} }
@ -898,15 +892,9 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
static SECStatus static SECStatus
ListKeys(PK11SlotInfo *slot, char *keyname, int index, ListKeys(PK11SlotInfo *slot, char *keyname, int index,
KeyType keyType, PRBool dopriv, char *passFile) KeyType keyType, PRBool dopriv, secuPWData *pwdata)
{ {
SECStatus rv = SECSuccess; SECStatus rv = SECSuccess;
secuPWData pwdata = { PW_NONE, 0 };
if (passFile) {
pwdata.source = PW_FROMFILE;
pwdata.data = passFile;
}
#ifdef notdef #ifdef notdef
if (keyname) { if (keyname) {
@ -925,12 +913,12 @@ ListKeys(PK11SlotInfo *slot, char *keyname, int index,
PK11SlotList *list; PK11SlotList *list;
PK11SlotListElement *le; PK11SlotListElement *le;
list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,&pwdata); list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,pwdata);
if (list) for (le = list->head; le; le = le->next) { if (list) for (le = list->head; le; le = le->next) {
rv = listKeys(le->slot,keyType,&pwdata); rv = listKeys(le->slot,keyType,pwdata);
} }
} else { } else {
rv = listKeys(slot,keyType,&pwdata); rv = listKeys(slot,keyType,pwdata);
} }
return rv; return rv;
} }
@ -1270,7 +1258,7 @@ static void LongUsage(char *progName)
" -6 "); " -6 ");
FPS "\n"); FPS "\n");
exit(-1); exit(1);
#undef FPS #undef FPS
} }
@ -2220,7 +2208,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -g: Keysize must be between %d and %d.\n", "%s -g: Keysize must be between %d and %d.\n",
MIN_KEY_BITS, MAX_KEY_BITS); MIN_KEY_BITS, MAX_KEY_BITS);
return -1; return 255;
} }
} }
@ -2243,7 +2231,7 @@ main(int argc, char **argv)
} else { } else {
PR_fprintf(PR_STDERR, "%s -k: %s is not a recognized type.\n", PR_fprintf(PR_STDERR, "%s -k: %s is not a recognized type.\n",
progName, certutil.options[opt_KeyType].arg); progName, certutil.options[opt_KeyType].arg);
return -1; return 255;
} }
} }
@ -2253,7 +2241,7 @@ main(int argc, char **argv)
if (serialNumber < 0) { if (serialNumber < 0) {
PR_fprintf(PR_STDERR, "%s -m: %s is not a valid serial number.\n", PR_fprintf(PR_STDERR, "%s -m: %s is not a valid serial number.\n",
progName, certutil.options[opt_SerialNumber].arg); progName, certutil.options[opt_SerialNumber].arg);
return -1; return 255;
} }
} }
@ -2266,7 +2254,7 @@ main(int argc, char **argv)
if (keytype != dsaKey) { if (keytype != dsaKey) {
PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)", PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
progName); progName);
return -1; return 255;
} }
} }
@ -2276,7 +2264,7 @@ main(int argc, char **argv)
if (!subject) { if (!subject) {
PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n", PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n",
progName, certutil.options[opt_Subject].arg); progName, certutil.options[opt_Subject].arg);
return -1; return 255;
} }
} }
@ -2286,7 +2274,7 @@ main(int argc, char **argv)
if (validitylength < 0) { if (validitylength < 0) {
PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n", PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n",
progName, certutil.options[opt_Validity].arg); progName, certutil.options[opt_Validity].arg);
return -1; return 255;
} }
} }
@ -2303,7 +2291,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.", PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.",
progName, publicExponent); progName, publicExponent);
PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n"); PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n");
return -1; return 255;
} }
} }
@ -2325,7 +2313,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag); PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag);
} }
PR_fprintf(PR_STDERR, "\n"); PR_fprintf(PR_STDERR, "\n");
return -1; return 255;
} }
if (commandsEntered == 0) { if (commandsEntered == 0) {
PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName); PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
@ -2343,7 +2331,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -%c: nickname is required for this command (-n).\n", "%s -%c: nickname is required for this command (-n).\n",
progName, commandToRun); progName, commandToRun);
return -1; return 255;
} }
/* -A, -E, -M, -S require trust */ /* -A, -E, -M, -S require trust */
@ -2355,7 +2343,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -%c: trust is required for this command (-t).\n", "%s -%c: trust is required for this command (-t).\n",
progName, commandToRun); progName, commandToRun);
return -1; return 255;
} }
/* if -L is given raw or ascii mode, it must be for only one cert. */ /* if -L is given raw or ascii mode, it must be for only one cert. */
@ -2366,7 +2354,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s: nickname is required to dump cert in raw or ascii mode.\n", "%s: nickname is required to dump cert in raw or ascii mode.\n",
progName); progName);
return -1; return 255;
} }
/* -L can only be in (raw || ascii). */ /* -L can only be in (raw || ascii). */
@ -2376,7 +2364,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s: cannot specify both -r and -a when dumping cert.\n", "%s: cannot specify both -r and -a when dumping cert.\n",
progName); progName);
return -1; return 255;
} }
/* For now, deny -C -x combination */ /* For now, deny -C -x combination */
@ -2385,7 +2373,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s: self-signing a cert request is not supported.\n", "%s: self-signing a cert request is not supported.\n",
progName); progName);
return -1; return 255;
} }
/* If making a cert request, need a subject. */ /* If making a cert request, need a subject. */
@ -2395,7 +2383,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -%c: subject is required to create a cert request.\n", "%s -%c: subject is required to create a cert request.\n",
progName, commandToRun); progName, commandToRun);
return -1; return 255;
} }
/* If making a cert, need a serial number. */ /* If making a cert, need a serial number. */
@ -2413,7 +2401,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -V: specify a usage to validate the cert for (-u).\n", "%s -V: specify a usage to validate the cert for (-u).\n",
progName); progName);
return -1; return 255;
} }
/* To make a cert, need either a issuer or to self-sign it. */ /* To make a cert, need either a issuer or to self-sign it. */
@ -2423,7 +2411,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -S: must specify issuer (-c) or self-sign (-x).\n", "%s -S: must specify issuer (-c) or self-sign (-x).\n",
progName); progName);
return -1; return 255;
} }
/* Using slotname == NULL for listing keys and certs on all slots, /* Using slotname == NULL for listing keys and certs on all slots,
@ -2433,7 +2421,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -%c: cannot use \"-h all\" for this command.\n", "%s -%c: cannot use \"-h all\" for this command.\n",
progName, commandToRun); progName, commandToRun);
return -1; return 255;
} }
/* Using keytype == nullKey for list all key types, but only that. */ /* Using keytype == nullKey for list all key types, but only that. */
@ -2441,7 +2429,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
"%s -%c: cannot use \"-k all\" for this command.\n", "%s -%c: cannot use \"-k all\" for this command.\n",
progName, commandToRun); progName, commandToRun);
return -1; return 255;
} }
/* -S open outFile, temporary file for cert request. */ /* -S open outFile, temporary file for cert request. */
@ -2452,7 +2440,7 @@ main(int argc, char **argv)
"%s -o: unable to open \"%s\" for writing (%ld, %ld)\n", "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n",
progName, certreqfile, progName, certreqfile,
PR_GetError(), PR_GetOSError()); PR_GetError(), PR_GetOSError());
return -1; return 255;
} }
} }
@ -2464,7 +2452,7 @@ main(int argc, char **argv)
"%s: unable to open \"%s\" for reading (%ld, %ld).\n", "%s: unable to open \"%s\" for reading (%ld, %ld).\n",
progName, certutil.options[opt_InputFile].arg, progName, certutil.options[opt_InputFile].arg,
PR_GetError(), PR_GetOSError()); PR_GetError(), PR_GetOSError());
return -1; return 255;
} }
} }
@ -2477,7 +2465,7 @@ main(int argc, char **argv)
"%s: unable to open \"%s\" for writing (%ld, %ld).\n", "%s: unable to open \"%s\" for writing (%ld, %ld).\n",
progName, certutil.options[opt_OutputFile].arg, progName, certutil.options[opt_OutputFile].arg,
PR_GetError(), PR_GetOSError()); PR_GetError(), PR_GetOSError());
return -1; return 255;
} }
} }
@ -2491,7 +2479,7 @@ main(int argc, char **argv)
"secmod.db", 0); "secmod.db", 0);
if (rv != SECSuccess) { if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName); SECU_PrintPRandOSError(progName);
return -1; return 255;
} }
certHandle = CERT_GetDefaultCertDB(); certHandle = CERT_GetDefaultCertDB();
@ -2517,52 +2505,46 @@ main(int argc, char **argv)
rv = ListCerts(certHandle, name, slot, rv = ListCerts(certHandle, name, slot,
certutil.options[opt_BinaryDER].activated, certutil.options[opt_BinaryDER].activated,
certutil.options[opt_ASCIIForIO].activated, certutil.options[opt_ASCIIForIO].activated,
(outFile) ? outFile : PR_STDOUT, (outFile) ? outFile : PR_STDOUT, &pwdata);
certutil.options[opt_PasswordFile].arg); return (!rv - 1) % 255;
return !rv - 1;
} }
/* XXX needs work */ /* XXX needs work */
/* List keys (-K) */ /* List keys (-K) */
if (certutil.commands[cmd_ListKeys].activated) { if (certutil.commands[cmd_ListKeys].activated) {
rv = ListKeys(slot, name, 0 /*keyindex*/, keytype, PR_FALSE /*dopriv*/, rv = ListKeys(slot, name, 0 /*keyindex*/, keytype, PR_FALSE /*dopriv*/,
certutil.options[opt_PasswordFile].arg); &pwdata);
return !rv - 1; return (!rv - 1) % 255;
} }
/* List modules (-U) */ /* List modules (-U) */
if (certutil.commands[cmd_ListModules].activated) { if (certutil.commands[cmd_ListModules].activated) {
rv = ListModules(); rv = ListModules();
return !rv - 1; return (!rv - 1) % 255;
} }
/* Delete cert (-D) */ /* Delete cert (-D) */
if (certutil.commands[cmd_DeleteCert].activated) { if (certutil.commands[cmd_DeleteCert].activated) {
rv = DeleteCert(certHandle, name); rv = DeleteCert(certHandle, name);
return !rv - 1; return (!rv - 1) % 255;
} }
/* Delete key (-F) */ /* Delete key (-F) */
if (certutil.commands[cmd_DeleteKey].activated) { if (certutil.commands[cmd_DeleteKey].activated) {
rv = DeleteKey(name, &pwdata); rv = DeleteKey(name, &pwdata);
return !rv - 1; return (!rv - 1) % 255;
} }
/* Modify trust attribute for cert (-M) */ /* Modify trust attribute for cert (-M) */
if (certutil.commands[cmd_ModifyCertTrust].activated) { if (certutil.commands[cmd_ModifyCertTrust].activated) {
rv = ChangeTrustAttributes(certHandle, name, rv = ChangeTrustAttributes(certHandle, name,
certutil.options[opt_Trust].arg); certutil.options[opt_Trust].arg);
return !rv - 1; return (!rv - 1) % 255;
} }
/* Change key db password (-W) (future - change pw to slot?) */ /* Change key db password (-W) (future - change pw to slot?) */
if (certutil.commands[cmd_ChangePassword].activated) { if (certutil.commands[cmd_ChangePassword].activated) {
rv = SECU_ChangePW(slot, 0, certutil.options[opt_PasswordFile].arg); rv = SECU_ChangePW(slot, 0, certutil.options[opt_PasswordFile].arg);
return !rv - 1; return (!rv - 1) % 255;
} }
/* Check cert validity against current time (-V) */ /* Check cert validity against current time (-V) */
if (certutil.commands[cmd_CheckCertValidity].activated) { if (certutil.commands[cmd_CheckCertValidity].activated) {
/* XXX temporary hack for fips - must log in to get priv key */ /* XXX temporary hack for fips - must log in to get priv key */
if (certutil.options[opt_VerifySig].activated) { if (certutil.options[opt_VerifySig].activated) {
secuPWData pwdata = { PW_NONE, 0 };
if (certutil.options[opt_PasswordFile].arg) {
pwdata.source = PW_FROMFILE;
pwdata.data = certutil.options[opt_PasswordFile].arg;
}
if (PK11_NeedLogin(slot)) if (PK11_NeedLogin(slot))
PK11_Authenticate(slot, PR_TRUE, &pwdata); PK11_Authenticate(slot, PR_TRUE, &pwdata);
} }
@ -2572,7 +2554,7 @@ main(int argc, char **argv)
certutil.options[opt_VerifySig].activated, certutil.options[opt_VerifySig].activated,
certutil.options[opt_DetailedInfo].activated, certutil.options[opt_DetailedInfo].activated,
&pwdata); &pwdata);
return !rv - 1; return (!rv - 1) % 255;
} }
/* /*
@ -2590,10 +2572,10 @@ main(int argc, char **argv)
certutil.options[opt_NoiseFile].arg, certutil.options[opt_NoiseFile].arg,
&pubkey, &pubkey,
certutil.options[opt_PQGFile].arg, certutil.options[opt_PQGFile].arg,
certutil.options[opt_PasswordFile].arg); &pwdata);
if (privkey == NULL) { if (privkey == NULL) {
SECU_PrintError(progName, "unable to generate key(s)\n"); SECU_PrintError(progName, "unable to generate key(s)\n");
return -1; return 255;
} }
privkey->wincx = &pwdata; privkey->wincx = &pwdata;
PORT_Assert(pubkey != NULL); PORT_Assert(pubkey != NULL);
@ -2616,7 +2598,7 @@ main(int argc, char **argv)
certutil.options[opt_ASCIIForIO].activated, certutil.options[opt_ASCIIForIO].activated,
outFile ? outFile : PR_STDOUT); outFile ? outFile : PR_STDOUT);
if (rv) if (rv)
return -1; return 255;
privkey->wincx = &pwdata; privkey->wincx = &pwdata;
} }
@ -2633,13 +2615,13 @@ main(int argc, char **argv)
if (!inFile) { if (!inFile) {
PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n", PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
certreqfile, PR_GetError(), PR_GetOSError()); certreqfile, PR_GetError(), PR_GetOSError());
return -1; return 255;
} }
outFile = PR_Open(certfile, PR_RDWR | PR_CREATE_FILE, 00660); outFile = PR_Open(certfile, PR_RDWR | PR_CREATE_FILE, 00660);
if (!outFile) { if (!outFile) {
PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n", PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
certfile, PR_GetError(), PR_GetOSError()); certfile, PR_GetError(), PR_GetOSError());
return -1; return 255;
} }
} }
@ -2659,7 +2641,7 @@ main(int argc, char **argv)
certutil.options[opt_AddCRLDistPtsExt].activated, certutil.options[opt_AddCRLDistPtsExt].activated,
certutil.options[opt_AddNSCertTypeExt].activated); certutil.options[opt_AddNSCertTypeExt].activated);
if (rv) if (rv)
return -1; return 255;
} }
/* /*
@ -2673,7 +2655,7 @@ main(int argc, char **argv)
if (!inFile) { if (!inFile) {
PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n", PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
certfile, PR_GetError(), PR_GetOSError()); certfile, PR_GetError(), PR_GetOSError());
return -1; return 255;
} }
} }
@ -2686,7 +2668,7 @@ main(int argc, char **argv)
certutil.options[opt_ASCIIForIO].activated, certutil.options[opt_ASCIIForIO].activated,
certutil.commands[cmd_AddEmailCert].activated); certutil.commands[cmd_AddEmailCert].activated);
if (rv) if (rv)
return -1; return 255;
} }
if (certutil.commands[cmd_CreateAndAddCert].activated) { if (certutil.commands[cmd_CreateAndAddCert].activated) {

12
security/nss/cmd/certutil/keystuff.c
Просмотреть файл

@ -306,14 +306,13 @@ SECKEYPrivateKey *
CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
int publicExponent, char *noise, int publicExponent, char *noise,
SECKEYPublicKey **pubkeyp, char *pqgFile, SECKEYPublicKey **pubkeyp, char *pqgFile,
char *passFile) secuPWData *pwdata)
{ {
CK_MECHANISM_TYPE mechanism; CK_MECHANISM_TYPE mechanism;
SECOidTag algtag; SECOidTag algtag;
PK11RSAGenParams rsaparams; PK11RSAGenParams rsaparams;
PQGParams *dsaparams = NULL; PQGParams *dsaparams = NULL;
void *params; void *params;
secuPWData pwdata = { PW_NONE, 0 };
PRArenaPool *dsaparena; PRArenaPool *dsaparena;
/* /*
@ -366,12 +365,7 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
if (slot == NULL) if (slot == NULL)
return NULL; return NULL;
if (passFile) { if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess)
pwdata.source = PW_FROMFILE;
pwdata.data = passFile;
}
if (PK11_Authenticate(slot, PR_TRUE, &pwdata) != SECSuccess)
return NULL; return NULL;
fprintf(stderr, "\n\n"); fprintf(stderr, "\n\n");
@ -379,7 +373,7 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
return PK11_GenerateKeyPair(slot, mechanism, params, pubkeyp, return PK11_GenerateKeyPair(slot, mechanism, params, pubkeyp,
PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/,
&pwdata /*wincx*/); pwdata /*wincx*/);
} }
/* /*